Wednesday, 4 December 2013

Amcache.hve in Windows 8 - Goldmine for malware hunters

Corey Harrell has uploaded an excellent writeup on the workings of the Windows Application Experience and Compatibility features. There he explains how process entries/traces show up in locations such as the ShimCache and RecentFileCache.bcf. For forensic/malware analysts, this is a great place to search for recently run processes.

This post is a logical continuation of Corey's post. In Windows 8, the 'RecentFileCache.bcf' file has been replaced by a registry hive named 'Amcache.hve'. The location of this file is the same as its predecessor: <DRIVE>\Windows\AppCompat\Programs\Amcache.hve

This file stores information about recently run applications/programs. Some of the information found here includes the executable's full path, file timestamps (Last Modified & Created), the file's SHA1 hash, the PE linker timestamp, some PE header data and file version information (from the resource section) such as FileVersion, ProductName, CompanyName and Description.

The Hive

Amcache is a small hive. Below is a view of the hive loaded in EnCase. There are only 4 keys under a 'Root' key (folders in the registry are called keys). The data of interest to us is located in the 'File' key. Files are grouped by their volume GUIDs. These are the same volume GUIDs that you can find in the SYSTEM hive under MountedDevices and also under NTUSER.DAT MountPoints2.

File References

Under each volume GUID are File Reference keys, each representing a single unique file. In the case of an NTFS volume, this key name will look something like this: e0000430d. This is the NTFS File Id and sequence number: here the sequence number is 0e and the file id is 0000430d. For FAT volumes it was not clear at first what this value represents; on a FAT volume, this File Reference is the byte offset of the directory entry for that file, i.e. the offset from the start of the volume where this file's directory entry resides.

The Last Modified date on this key may be taken as the first time a particular application was run; I have not seen it change on subsequent runs. Under this key reside several values holding details about that file. Refer to the illustration below, which is for a file on a FAT volume on an external USB disk.

Value names are in hexadecimal and range from 0 to 17, with two extra entries, 100 and 101. Here are the descriptions I have been able to decipher so far.

Value | Description                              | Data Type
------|------------------------------------------|-------------------
0     | Product Name                             | UNICODE string
1     | Company Name                             | UNICODE string
2     | File version number only                 | UNICODE string
3     | Language code (1033 for en-US)           | DWORD
4     | SwitchBackContext                        | QWORD
5     | File Version                             | UNICODE string
6     | File Size (in bytes)                     | DWORD
7     | PE Header field - SizeOfImage            | DWORD
8     | Hash of PE Header (unknown algorithm)    | UNICODE string
9     | PE Header field - Checksum               | DWORD
a     | Unknown                                  | QWORD
b     | Unknown                                  | QWORD
c     | File Description                         | UNICODE string
d     | Unknown, maybe Major & Minor OS version  | DWORD
f     | Linker (Compile time) Timestamp          | DWORD - Unix time
10    | Unknown                                  | DWORD
11    | Last Modified Timestamp                  | FILETIME
12    | Created Timestamp                        | FILETIME
15    | Full path to file                        | UNICODE string
16    | Unknown                                  | DWORD
17    | Last Modified Timestamp 2                | FILETIME
100   | Program ID                               | UNICODE string
101   | SHA1 hash of file                        | UNICODE string

I've written an EnCase EnScript to parse out this information to the console. Download the v6 EnScript here or the v7 EnScript here. This is code, not an EnPack, so anyone can easily translate it to Python or Perl or another open platform.
It outputs Amcache information as shown below:
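As an added example (not the EnScript linked above, and not taken from any real hive), here is a stdlib-only Python decoder for one File Reference key that follows the table above: it splits the NTFS key name into sequence number and file id, decodes each value by its data type, and reports how far the second Last Modified value (17) trails the first (11). The field names, the DECODERS mapping and the sample entry are my own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Value name -> (field, type), from the table in this post; unlisted names stay raw bytes.
AMCACHE_FILE_VALUES = {
    "0": ("ProductName", "str"), "1": ("CompanyName", "str"), "5": ("FileVersion", "str"),
    "6": ("FileSize", "dword"), "7": ("SizeOfImage", "dword"), "c": ("FileDescription", "str"),
    "f": ("LinkerTimestamp", "unixtime"), "11": ("LastModified", "filetime"),
    "12": ("Created", "filetime"), "15": ("FullPath", "str"), "17": ("LastModified2", "filetime"),
    "100": ("ProgramID", "str"), "101": ("SHA1", "str"),
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FT = 116444736000000000  # FILETIME value of 1970-01-01 00:00:00 UTC

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

DECODERS = {  # registry data type -> decoder for the raw value bytes
    "str": lambda b: b.decode("utf-16-le").rstrip("\x00"),
    "dword": lambda b: struct.unpack("<I", b[:4])[0],
    "filetime": lambda b: filetime_to_datetime(struct.unpack("<Q", b[:8])[0]),
    "unixtime": lambda b: datetime.fromtimestamp(struct.unpack("<I", b[:4])[0], timezone.utc),
}
def parse_file_reference(key_name):
    """'e0000430d' -> (sequence 0xe, NTFS file id 0x430d): the last 8 hex digits are the id."""
    return int(key_name[:-8], 16), int(key_name[-8:], 16)

def decode_file_entry(key_name, raw_values):
    """raw_values maps a value name (hex string) to its raw registry data bytes."""
    seq, file_id = parse_file_reference(key_name)
    entry = {"SequenceNumber": seq, "FileId": file_id}
    for name, raw in raw_values.items():
        field, kind = AMCACHE_FILE_VALUES.get(name, ("Unknown_" + name, None))
        entry[field] = DECODERS[kind](raw) if kind else raw
    return entry

def modified_skew_seconds(entry):
    """How far value 17 trails value 11 (the post observes about 1 second)."""
    return (entry["LastModified"] - entry["LastModified2"]).total_seconds()

# Constructed sample (not from a real hive), raw as a hive parser returns it; path and hash are placeholders.
SAMPLE_ENTRY = decode_file_entry("e0000430d", {
    "f": struct.pack("<I", 1000000000),
    "11": struct.pack("<Q", UNIX_EPOCH_FT + 86400 * 10**7),
    "12": struct.pack("<Q", UNIX_EPOCH_FT),
    "15": "E:\\Tools\\sample.exe\x00".encode("utf-16-le"),
    "17": struct.pack("<Q", UNIX_EPOCH_FT + 86399 * 10**7),
    "101": ("0" * 40 + "\x00").encode("utf-16-le"),
})
```

With a real hive, feed decode_file_entry the key name and the raw value data your registry parser of choice returns for each File Reference key.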

The Unexplained

There are two Last Modified timestamps (11 and 17). I have noticed that the timestamp in 17 is almost always 1 second behind the timestamp in 11. This is a bit of a mystery; it is probably due to conversion to a DOS timestamp and back.

The SHA1 hash is a vital bit of information that MS has added, as now we can track malware even if it has deleted/wiped itself from the system. Also, since the hive stores data about volume GUIDs and file references, it can be added to the list of locations to review to aid in tracking USB devices.

7 comments:

I've got a Windows 8.1 laptop that I pulled the AmCache.hve file from and opened it in WRR...something that may be of interest is the Programs subkey. Beneath this key are subkeys for Programs, and the Files value data (multiple strings) appear to refer back to the File key data that you mentioned...

That is correct, I haven't researched the full details of this key yet. I have only seen it refer to installed programs, each having a reference to an uninstall key and a control panel item (usually Add/Remove Programs) in addition to some of the other properties similar to the File reference keys (Product name, company name, etc.).

That's correct, Harlan, the Programs key represents installed programs (with uninstall info) and the files referenced are part of that program package, which can include 100s of dlls, exes and other code. Most of them can be found in the Files key. I'm posting a follow-up to this post later tomorrow which talks about it and the other keys.